Researcher Finds Public GitHub Repo Exposing Sensitive CISA Credentials
5/23/2026 · 27 min
The episode recounts how GitGuardian security researcher Guillaume Valadon, while monitoring public GitHub for leaked secrets, discovered a publicly accessible repository labeled "CISA-Private" containing highly sensitive CISA materials, including internal DHS/CISA credentials, cloud keys, tokens, plaintext passwords, logs, and files such as "Important AWS Tokens" and a CSV listing usernames and passwords for internal systems. Believing a contractor likely used GitHub to move work from a work device to a home device, Valadon escalated via responsible disclosure to CERT, then involved journalist Brian Krebs to reach CISA faster when the repo remained public.
After additional outreach, the repository was made inaccessible within about a day, and Valadon praises CISA's response speed. The discussion emphasizes widespread poor secret hygiene, governance, training, and the need for organizations to monitor, rehearse, and automate detection and revocation of leaked secrets.
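The takeaway about automating detection is easier to picture with a concrete scanner. The following is an added example, not code from the podcast, from GitGuardian, or from CISA: a small Python secret scanner that walks a set of text files and flags the kinds of material the episode describes (AWS access key IDs, key=value style secrets, and a CSV whose header carries username and password columns), redacting values so a finding can be forwarded without re-leaking the secret. The repository contents are constructed for the example; the AWS key pair is the documented placeholder pair from AWS's own documentation, not a real credential.

```python
"""Toy secret scanner (added example; not GitGuardian's, CISA's or the podcast's code).

Scans a dictionary of path -> text (constructed inline below) and reports
lines that look like leaked credentials. Real scanners carry hundreds of
detectors and validate hits against provider APIs; this one shows the shape
of the job: detect, classify, redact, report.
"""
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str
    redacted: str


# Detection rules. The AWS key ID prefixes are public knowledge; the rest are
# deliberately simple heuristics chosen for this example.
AWS_ACCESS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b")
ASSIGNED_SECRET = re.compile(
    r"(?i)(password|passwd|pwd|secret|token|api[_-]?key)[a-z_]*\s*[:=]\s*['\"]?([^\s'\"]{6,})"
)
CREDENTIAL_CSV_HEADER = re.compile(r"(?i)^\s*.*\busername\b.*\bpassword\b.*$")


def redact(value: str, keep: int = 4) -> str:
    """Keep a short prefix so the owner can recognise the value, mask the rest."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


def scan_text(path: str, text: str) -> List[Finding]:
    """Return findings for one file; each rule reports at most once per line."""
    findings: List[Finding] = []
    lines = text.splitlines()
    for no, line in enumerate(lines, start=1):
        m = AWS_ACCESS_KEY_ID.search(line)
        if m:
            findings.append(Finding(path, no, "aws_access_key_id", redact(m.group(0))))
        m = ASSIGNED_SECRET.search(line)
        if m:
            findings.append(Finding(path, no, "assigned_secret", redact(m.group(2))))
    # A CSV whose header names username and password columns is reported as a
    # whole, with a row count, rather than one finding per plaintext password.
    if path.lower().endswith(".csv") and lines and CREDENTIAL_CSV_HEADER.match(lines[0]):
        findings.append(Finding(path, 1, "credential_csv", f"{len(lines) - 1} rows"))
    return findings


def scan_repo(files: Dict[str, str]) -> List[Finding]:
    """Scan every file in a path -> text mapping, in deterministic path order."""
    out: List[Finding] = []
    for path in sorted(files):
        out.extend(scan_text(path, files[path]))
    return out


# Constructed sample repository, loosely modelled on the files named in the
# episode. The AWS values are AWS's documented example placeholders.
SAMPLE_REPO: Dict[str, str] = {
    "README.md": "# CISA-Private\nNotes moved from work laptop.\n",
    "Important AWS Tokens.txt": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "accounts.csv": (
        "username,password,system\n"
        "jdoe,Winter2024!,vpn-portal\n"
        "asmith,Spring2025!,ticketing\n"
    ),
    "app.log": "2026-05-01 INFO service started\n",
}


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line_no}  {f.kind:<18} {f.redacted}")
```

Run as a script it prints three findings: the access key ID and the secret key in the tokens file, and the credential CSV with its row count. In a real pipeline the same function would run as a pre-commit hook or a CI job, and each finding would be paired with an automatic revocation step for the provider in question rather than only a report.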
Cybersecurity Today would like to thank Material Security for sponsoring this podcast. Material Security provides faster, more complete detection and response for email, identity, and data threats inside Google Workspace and Microsoft 365. You can contact them at material[dot]security.
00:00 Weekend Welcome Sponsor
00:27 CISA Secrets Leak Found
03:29 Calling Brian Krebs
05:06 Meet GitGuardian Researcher
07:26 Why Leaks Happen Everywhere
10:49 Inside the CISA Repo
13:19 Disclosure and Takedown
17:04 Lessons for Organizations
22:47 Aftermath and Thanks
24:36 Show Wrap Sponsor Outro
Transcript preview
First 90 seconds. Jim Love (Host), 0:00
Welcome to Cyber Security Today on the Weekend. Cyber Security Today would like to thank Material Security for sponsoring this podcast. Material Security provides faster, more complete detection and response for email, identity, and data threats inside Google Workspace and Microsoft 365. You can contact them at material.security. Imagine you're a researcher who looks for security issues in repos like GitHub, for instance, and your company constantly scans these public code repositories for exposed secrets, automatically alerting the offending accounts of anybody who has apparent sensitive data exposures. Your company has products and services, but this is one of those corporate good citizen things that you do. Now, you as the researcher are in a hotel room halfway across the world. Suddenly, you come across a folder that's labeled with the name of a US government agency responsible for cybersecurity. The folder name is CISA-Private. Now, at first you think it's some kind of joke, misunderstanding, just a strange name for a file. I mean, it can't be the Cybersecurity and Infrastructure Security Agency of the United States. That's the agency that is set up to protect government and critical infrastructure